Why Is Wordpress Easy To Hack

Tracy Perry

Opinionated asshat
Joined
May 25, 2013
Messages
4,991
sites trying to get traffic, or comments - nothing good comes out of enabling either of them.
The "getting traffic" is a minimal issue. When you have a bot system using it to issue attacks it can bring a site down.
Sucuri's article gives some information a small one
In a recent case we investigated, 26,000 different WordPress sites were generating a sustained rate of 10,000 to 11,000 HTTPS requests per second against one website.
The Layer 7 attack vector it uses is a little harder to protect against without some work.
There is a list of some known sites that have not disabled it and have been used in attacks. That's what is included in the article I have at https://servinglinux.com/articles/entry/3-ipset-to-block-ip-s-via-csfpre-sh/ for CSF ipset use.
 

pierce

Habitué
Joined
Apr 10, 2016
Messages
1,171
Serious WordPress people should host with WordPress or use a web application firewall.

WordPress is also easy to download and anybody can read through the source. As such anybody can develop attacks which can be easily verified on their local computer.

If I was a webhost I dunno how I would keep up with the number of WordPress installs.
 

ManagerJosh

Adherent
Joined
Oct 24, 2004
Messages
332
If I was a webhost I dunno how I would keep up with the number of WordPress installs.
I would go through everyone's wp-config.php's and add the following line:

PHP:
define( 'WP_AUTO_UPDATE_CORE', true );
It would force automatic updates constantly to the core.

If I'm really anal about WordPress security, I would also add:

PHP:
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
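The wp-config.php sweep this post describes, written out as a shell script (an added example, not code from the thread or from WordPress): it walks a document root, inserts define( 'WP_AUTO_UPDATE_CORE', true ); before wp-settings.php is loaded wherever the constant is missing, and rewrites it to true where a site has it set to false or 'minor'. It assumes the standard layout in which wp-config.php ends with require_once ABSPATH . 'wp-settings.php'; and the docroot path is whatever you pass as the first argument.

```shell
#!/bin/sh
# Added example, not from the thread: enforce WP_AUTO_UPDATE_CORE in every
# wp-config.php beneath a document root. Assumes the standard layout where
# wp-config.php loads wp-settings.php last; the define must come before that.

WANTED="define( 'WP_AUTO_UPDATE_CORE', true );"

# Rewrite one wp-config.php in place. Idempotent: an existing define (true,
# false or 'minor') is replaced, otherwise the line is inserted just before
# require_once ... 'wp-settings.php'. Returns non-zero if the file is missing
# or contains neither a define nor a wp-settings.php require to anchor on.
ensure_auto_update_core() {
  file="$1"
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  tmp=$(mktemp) || return 1
  awk -v wanted="$WANTED" '
    # Any define of the constant, whatever its current value, becomes the wanted line.
    /define[[:space:]]*\([[:space:]]*.WP_AUTO_UPDATE_CORE/ { print wanted; seen = 1; next }
    # Not defined yet: put it in front of the require so WordPress sees it at boot.
    /require_once.*wp-settings\.php/ && !seen { print wanted; seen = 1 }
    { print }
    END { exit seen ? 0 : 1 }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Apply to every wp-config.php under a docroot; prints each path it fixed.
enforce_across() {
  find "$1" -type f -name wp-config.php | while IFS= read -r cfg; do
    ensure_auto_update_core "$cfg" && echo "$cfg"
  done
}

# Quick audit: exit 0 if the file carries exactly the wanted line, 1 otherwise.
has_auto_update_core() {
  grep -qF "$WANTED" "$1"
}
```

Run it as enforce_across /var/www (or wherever the sites live) from a host account that can write the files; it prints each wp-config.php it touched.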
 

aesthetiqclinic

Aspirant
Joined
Feb 16, 2018
Messages
31
WordPress is easy to hack only when you are using nulled themes, because by using nulled themes you open a backdoor on your website through which a hacker can easily enter and hack it. Basically it is secure, but when you are not using any security plugin or are using nulled themes, you will get your website hacked.
 

zappaDPJ

Administrator
Joined
Aug 26, 2010
Messages
7,124
Wordpress is easy to hack only when you are using nulled themes.
Legitimately bought themes are just as vulnerable, especially when they rely on scripts such as TimThumb. In fact the only site I've ever had hacked occurred after I installed a premium theme from RocketTheme which came supplied with an outdated version of the aforementioned plugin.
 

WPer

Neophyte
Joined
Jan 18, 2019
Messages
4
WordPress itself is safe enough. But no one can ensure that the third-party plugins and themes are as secure as WordPress. The market is full of vulnerable plugins and themes.
 

R0binHood

Habitué
Joined
Nov 23, 2011
Messages
1,361
Yeah, there was another big security flaw in a popular abandoned cart plugin recently. A good write-up on it here.

https://www.wordfence.com/blog/2019...art-plugin-leads-to-wordpress-site-takeovers/

User data that was scraped by the abandoned cart plugin as users typed in their details at checkout wasn't sanitised, so an attacker could perform an XSS attack. When the admins loaded the details in the backend it would load a hidden iframe and create a new rogue admin account in the background without the admins' knowledge.
 

overcast

Adherent
Joined
Mar 17, 2019
Messages
420
A lot of people don't upgrade the themes and plugins, and often that creates a loophole. WordPress has managed to upgrade the core automatically from the hosting side, and this has solved some of the problem. But some of the plugins open up a hole for the WordPress backend to be hacked.
 

zappaDPJ

Administrator
Joined
Aug 26, 2010
Messages
7,124
It is relevant but the pedants among us might be inclined to point out that the infographic data quoted in the blog espousing WordPress vulnerabilities actually suggests that WordPress itself is 100% impervious to vulnerabilities.

41% get hacked through vulnerabilities in their hosting platform
29% by means of an insecure theme
22% via a vulnerable plugin
8% because of weak passwords
That equals 100% of vulnerabilities, insecurities and just plain ignorance of security, none of which can be blamed on WordPress.
 

cheat_master30

Moderator
Joined
Jan 16, 2010
Messages
3,852
It's not really WordPress itself that's 'easy to hack'. It's the plugins and themes that are the major security factor here, and the cause for most WordPress site hackings. The skill level for your average WordPress plugin developer is all over the place, and with quite a few being hobbyists who are still learning to program while making these things, mistakes are often made. Like in any script with add ons really. You can only keep them all updated and hope the devs know what they're doing.
 

overcast

Adherent
Joined
Mar 17, 2019
Messages
420
Yesterday there was one security issue with a plugin named "Social Warfare". No matter whether your WordPress is updated or not, this plugin had an option to link to other websites, and some scam or, say, hacked links were added into it. I am guessing they removed this plugin from the WordPress directory.
 